Public Sector banks at a higher threat of cyber attack than private banks, says RBI DG

MUMBAI: The Reserve Bank of India has said that Indian banks are being lax in reporting cyber attacks to the regulator, exposing the financial system, and that state-run banks are at a higher risk of such crimes than their private peers.

Indian banks do not necessarily have the skilled human resources to tackle the rising frauds – both online and in physical transactions – though they are hiring people, said S. S. Mundra, deputy governor at the RBI.

"RBI has mandated that all unusual cyber-incidents have to be reported within 2 to 6 hours invariably. We observe that banks take much longer time in reporting the incident," Mundra said at a Seminar on Financial Crimes Management recently. "Barring a few banks the gaps are indeed significant, more so in respect of public sector banks. This warrants immediate and continued attention of the Board and the senior management of the banks."

Cyber attacks on Indian banks are on the rise, with about four banks’ systems being compromised in the past few months. Data on almost 3.2 million cards were compromised recently, exposing customers to losses. But the problem for the regulator has also been that banks hide information about cyber attacks, fearing negative publicity, which also makes it difficult to prevent such attacks in the future.

While highlighting the cyber breach of the debit card network of banks last year, he said that the traditional ways of allocating funds for IT services and cyber security needed to undergo a radical change so that banks could devise effective solutions against such threats.

Mundra said bankers need to change their approach to work as well, since new-age developments require attitudinal changes.

"We have always known banking to be a relationship built on trust. However, when we talk about cyber security I tend to believe that 'zero trust' is the way to address it. What I am hinting at is that physical and logical access controls must work as designed and only such employees who ‘need to know’ the intricacies of the application software/programmes must have access to them."